10/023,043 Patent 
AMENDMENT AND PRESENTATION OF CLAIMS 
Please replace all prior claims in the present application with the following claims, in 
which claims 1, 9, 16, and 21 are currently amended, and no claims are canceled, withdrawn, or 
newly presented. 

1. (Currently Amended) A network system that resists denial of service attacks on an access 
link to a destination host belonging to a virtual private network (VPN), said network system 
comprising: 

one or more egress boundary routers having connections to an access network including the 
access link, wherein said one or more egress boundary routers transmit intra-VPN traffic 
toward the destination host from sources within the VPN within a first access network 
logical connection for intra-VPN traffic and all extra-VPN traffic toward the destination 
host from sources outside the VPN within [[separate]] a second access network logical 
connection [[connections]] for intra-VPN and extra-VPN traffic, separate from the first 
access network logical connection [[respectively]]; and 

a plurality of ingress boundary routers coupled to the one or more egress boundary routers for 
communication utilizing a network-based VPN protocol that logically partitions intra- 
VPN and extra-VPN traffic, such that denial of service attacks on said access link 
originating from sources outside the VPN [[can be]] are prevented. 

2. (Original) The network system of Claim 1, and further comprising a Differentiated 
Services network coupling at least one of the plurality of ingress boundary routers and at least 
one of the one or more egress boundary routers. 

3. (Original) The network system of Claim 1, and further comprising a plurality of customer 
premises equipment (CPE) edge routers each coupled to a respective one of said plurality of 
ingress boundary routers. 

4. (Original) The network system of Claim 1, and further comprising the access network. 

5. (Original) The network system of Claim 4, and further comprising a customer 
premises equipment (CPE) edge router to the access link. 

6. (Original) The network system of Claim 5, said CPE edge router having a physical 
port coupled to said access link, said physical port implementing a first logical port for intra- 
VPN traffic and a second logical port for extra-VPN traffic. 

7. (Original) The network system of Claim 1, wherein at least one of said plurality of 
ingress boundary routers implements a plurality of tunnels that logically partition intra-VPN 
and extra-VPN traffic. 

8. (Original) The network system of Claim 1, wherein said one or more egress boundary 
routers provide a plurality of different qualities of services to said intra-VPN traffic. 

9. (Currently Amended) A network system, comprising: 

an access network having an access link to a destination host belonging to a virtual private 
network (VPN), wherein said access network supports a first logical connection for intra- 
VPN traffic from sources within the VPN and a second logical connection for extra-VPN 
traffic from sources outside the VPN; 

one or more egress boundary routers having connections to the access network, wherein said 
one or more egress boundary routers transmit intra-VPN traffic toward the destination 
host via the first logical connection and all extra-VPN traffic toward the destination host 
via the second logical connection; and 

a plurality of ingress boundary routers coupled to the one or more egress boundary routers for 
communication utilizing a network-based VPN protocol that logically partitions intra- 
VPN and extra-VPN traffic, such that denial of service attacks on said access link 
originating from sources outside the VPN [[can be]] are prevented. 

10. (Original) The network system of Claim 9, and further comprising a Differentiated 
Services network coupling at least one of the plurality of ingress boundary routers and at least 
one of the one or more egress boundary routers. 

11. (Original) The network system of Claim 9, and further comprising a plurality of 
customer premises equipment (CPE) edge routers each coupled to a respective one of said 
plurality of ingress boundary routers. 

12. (Original) The network system of Claim 9, and further comprising a customer 
premises equipment (CPE) edge router to the access link. 

13. (Original) The network system of Claim 12, said CPE edge router having a physical port 
coupled to said access link, said physical port implementing a first logical port for intra-VPN 
traffic and a second logical port for extra-VPN traffic. 

14. (Original) The network system of Claim 9, wherein at least one of said plurality of 
ingress boundary routers implements a plurality of tunnels that logically partition intra-VPN and 
extra-VPN traffic. 

15. (Original) The network system of Claim 9, wherein said one or more egress boundary 
routers provide a plurality of different qualities of services to said intra-VPN traffic. 

16. (Currently Amended) A method of protecting an access link to a destination host 
belonging to a virtual private network (VPN) against denial of service attacks, said method 
comprising: 

in an access network including the access link, providing a first logical connection for intra- 
VPN traffic from sources within the VPN and a second logical connection for extra-VPN 
traffic from sources outside the VPN; 

communicating, from a plurality of ingress boundary routers to one or more egress boundary 
routers, intra-VPN and extra-VPN traffic destined for said destination host, wherein said 
intra-VPN traffic and said extra-VPN traffic are transmitted utilizing a network-based 
VPN protocol that logically partitions intra-VPN and extra-VPN traffic; 

transmitting intra-VPN traffic from said one or more egress boundary routers toward the 
destination host via the first logical connection, and transmitting all extra-VPN traffic 
from said one or more egress boundary routers toward the destination host via the second 
logical connection, such that denial of service attacks on said access link originating from 
sources outside the VPN [[can be]] are prevented. 

17. (Original) The method of Claim 16, wherein said communicating comprises 
communicating utilizing a Differentiated Services protocol. 

18. (Original) The method of Claim 16, wherein a customer premises equipment (CPE) 
edge router is coupled between said access network and said destination host, said method further 
comprising: 

at a physical port of the CPE edge router coupled to the access link, providing first and 
second logical ports; and 

receiving intra-VPN traffic at the first logical port, and receiving extra-VPN traffic at the 
second logical port. 

19. (Original) The method of Claim 16, and further comprising logically partitioning intra- 
VPN and extra-VPN traffic by at least one of said plurality of ingress boundary routers utilizing a 
plurality of tunnels. 

20. (Original) The method of Claim 16, and further comprising said one or more egress 
boundary routers providing a plurality of different qualities of services to said intra-VPN traffic. 

21. (Currently Amended) A method for resisting denial of service attacks on an access link 
to a destination host included in a VPN, the method comprising the steps of: 

assigning a first priority level to intra-VPN traffic flowing from sources included in the VPN; 

assigning a second priority level to extra-VPN traffic flowing from sources outside the VPN; 

granting, to traffic having the first priority level at the access link, precedence of access to the 
destination host over traffic having the second priority level; and 

transmitting the intra-VPN traffic from one or more egress boundary routers toward the 
destination host via a first logical connection, and transmitting all extra-VPN traffic from 
said one or more egress boundary routers toward the destination host via a second logical 
connection. 
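The following simulation is an added illustration of the mechanism recited in Claims 16 and 21; it is not part of the patent application and does not reproduce any implementation of the applicant. It assumes that classifying a packet by whether its source address falls in the VPN's prefix set can stand in for the logical partition that the network-based VPN protocol provides at the ingress boundary routers, and that the "precedence of access" of Claim 21 can be modelled as strict priority between the two logical connections at the egress boundary router. The VPN prefixes, destination host, packet sizes, link capacity and the extra-VPN flood are all constructed for the example; a shared single-queue variant is included only to show the difference partitioning makes.

```python
"""Added example (not from the patent application): one scheduling interval
on an access link where an extra-VPN flood arrives ahead of intra-VPN
traffic. With two logical connections and intra-VPN precedence the flood
cannot starve the VPN's own traffic; with one shared FIFO it does.
All addresses, sizes and packet counts are constructed."""

from collections import deque
from dataclasses import dataclass
import ipaddress

INTRA_VPN = "intra-VPN"
EXTRA_VPN = "extra-VPN"
SHARED = "shared"  # single FIFO used only by the unpartitioned comparison


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size: int  # bytes


class IngressBoundaryRouter:
    """Classifies traffic by whether its source lies inside the VPN.

    Assumption: prefix membership stands in for the partition that the
    network-based VPN protocol would carry (e.g. separate tunnels)."""

    def __init__(self, vpn_prefixes):
        self.vpn_prefixes = [ipaddress.ip_network(p) for p in vpn_prefixes]

    def classify(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in self.vpn_prefixes):
            return INTRA_VPN
        return EXTRA_VPN


class EgressBoundaryRouter:
    """Forwards toward the destination host over one access link.

    partitioned=True : first logical connection for intra-VPN traffic,
                       second for extra-VPN traffic, intra-VPN served first.
    partitioned=False: one shared FIFO, kept only for comparison."""

    def __init__(self, link_capacity_bytes, partitioned=True):
        self.capacity = link_capacity_bytes
        self.partitioned = partitioned
        if partitioned:
            # dict insertion order is the service order: intra-VPN first
            self.queues = {INTRA_VPN: deque(), EXTRA_VPN: deque()}
        else:
            self.queues = {SHARED: deque()}

    def enqueue(self, pkt, traffic_class):
        key = traffic_class if self.partitioned else SHARED
        self.queues[key].append((pkt, traffic_class))

    def drain_interval(self):
        """Transmit up to the link capacity for one interval.

        Returns how many packets of each class crossed the access link;
        whatever does not fit stays queued behind the link."""
        sent = {INTRA_VPN: 0, EXTRA_VPN: 0}
        budget = self.capacity
        for queue in self.queues.values():
            while queue and queue[0][0].size <= budget:
                pkt, traffic_class = queue.popleft()
                budget -= pkt.size
                sent[traffic_class] += 1
        return sent

    def backlog(self):
        """Packets of each class still waiting after the interval."""
        waiting = {INTRA_VPN: 0, EXTRA_VPN: 0}
        for queue in self.queues.values():
            for _, traffic_class in queue:
                waiting[traffic_class] += 1
        return waiting


def simulate(partitioned, intra_count=20, flood_count=500, link_packets=100):
    """One interval: a flood from outside the VPN, then legitimate VPN traffic."""
    mtu = 1500
    ingress = IngressBoundaryRouter(["10.1.0.0/16", "10.2.0.0/16"])  # constructed VPN
    egress = EgressBoundaryRouter(link_packets * mtu, partitioned)
    host = "10.1.0.7"  # constructed destination host behind the access link
    # constructed flood from documentation addresses (TEST-NET-3), then
    # legitimate packets from another VPN site
    flood = [Packet(f"203.0.113.{i % 254 + 1}", host, mtu) for i in range(flood_count)]
    legit = [Packet(f"10.2.0.{i % 254 + 1}", host, mtu) for i in range(intra_count)]
    for pkt in flood + legit:
        egress.enqueue(pkt, ingress.classify(pkt))
    return egress.drain_interval(), egress.backlog()


if __name__ == "__main__":
    for mode in (True, False):
        sent, waiting = simulate(partitioned=mode)
        print(f"partitioned={mode}: delivered {sent}, waiting {waiting}")
```

With the default parameters the link carries 100 packets per interval. Partitioned, all 20 intra-VPN packets are delivered and 80 of the 500 flood packets follow; the remaining 420 wait on the second logical connection and never touch the first. Unpartitioned, the 100 slots go entirely to the flood that arrived first and every intra-VPN packet is held back, which is the starvation the claimed scheme is meant to prevent.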